HP-UX Containers (SRP) A.03.01 Administrator’s Guide
HP-UX 11i v3

Table of contents
Preface 5
Intended audience 5
Typographic conventions
4.8 Container Manager – stopping a container 27
5 Configuring HP-UX Containers using the srp_sys command 29
5.1 Configuring the system for HP-UX Containers 29
5.2 Displaying subsystem properties
15.2.1 Displaying system container user, group, and process names from the global view 76
15.3 Security features 77
15.3.1 Extended security attributes 77
15.3.2 Audit
Appendix A: Container default route script for Serviceguard 120
Appendix B: Direct customization of container properties 123
B.1 Execute customer defined operations via provision scripts 123
B.2 Customize security containment definition (not supported for system containers) 123
B.2.
Preface This document describes how to install, configure, and troubleshoot HP-UX Containers (formerly Secure Resource Partitions (SRP)). Intended audience This document is intended for system and network administrators responsible for installing, configuring, and managing HP-UX Containers – formerly Secure Resource Partitions (SRP). Administrators are expected to have knowledge of operating system and networking concepts, commands, and configuration.
points of the main text. Related information For more information about the products and subsystems used with HP-UX Containers, see the following documentation: Document Location HP 9000 Containers Administrator’s Guide http://www.hp.com/go/hp9000-containers HP-UX Security Containment and Role-Based Access Control (RBAC), documented in the HP-UX System Administrator's Guide: Security Management: HP-UX 11i v3. http://www.hp.com/go/hpux-core-docs Select the HP-UX 11i v3 product.
made. Document updates may be issued between editions to correct errors or document product changes. To ensure that you receive the updated or new editions, you should subscribe to the appropriate product support service. See your HP sales representative for details. This document is located at: www.hp.com/go/virtualization-manuals Select the HP-UX Containers (SRP) Software product.
Part I: Getting started
1 Introduction HP-UX Containers allows you to deploy multiple isolated container-based environments on a single server platform. This allows the enterprise to host multiple workloads on a single operating system instance, thereby better utilizing server resources (CPU, memory, network access) and data center resources (power, cooling, footprint), and reducing the overall number of operating system instances to manage.
1.4 Isolation and namespace Container isolation is provided by applying a combination of access restrictions and private namespace features. Access restrictions HP-UX Containers uses HP-UX Security Containment Compartments features to limit access to file system paths, network interfaces, kernel functionality, inter-process communication (IPC) and process view/signaling for processes executing within containers. Each container is configured with its own compartment definition.
based file system view, hostname, IPC namespace, and service daemons. Common system administration activities such as user management are performed within each system container. • Workload: Provides lightweight workload hosting environment. All workload containers share the global file system view, hostname, IPC namespace, and service daemons. System administration activities are shared with the global view. • HP 9000: Provides a binary emulation environment for HP-UX PA-RISC workloads.
Figure 1.1 HP-UX Containers on HP-UX Integrity 1.7 Compatibility with other virtualization continuum products HP-UX Containers is a component of the Virtualization Continuum for HP-UX and is compatible with HP-UX nPartitions, HP-UX vPars, and Integrity Virtual Machine (VM) solutions. You can create a container in any HP-UX OS image; the OS image can exist in an nPartition, vPars, Integrity VM, or directly on non-partitioned server hardware.
2 Installing HP-UX Containers You can acquire and install HP-UX Containers free of charge from HP Software Depot: http://www.software.hp.com For system and environment requirements, see the HP-UX Containers (SRP) A.03.01 Release Notes located at: www.hp.com/go/virtualization-manuals Select the HP-UX Containers (SRP) Software product. 2.1 Upgrading to HP-UX Containers A.03.
Part II: Managing containers
3 HP-UX Containers components
HP-UX Containers includes the following components to help manage the containers:
• The Container Manager
• The srp_sys command
• The srp command
• The srp_init daemon
• The srp_su command
• The srp_ps command
• The srp_check command
• The srp_sync command
3.1 The Container Manager The Container Manager is integrated with System Management Homepage (SMH) and provides a graphical user interface (GUI) to configure and manage containers.
3.5 The srp_su command The /opt/hpsrp/bin/srp_su command allows a user in the global view to launch a shell (via su(1) command) in the specified target container. This can be used by system administrators for the purpose of login or command execution within a container. See 8 Using the srp_su command for more information. 3.6 The srp_ps command The /opt/hpsrp/bin/srp_ps command reports process status for a specific container on your system. See 9 Using the srp_ps command for more information. 3.
4 Using Container Manager The Container Manager is integrated in the System Management Homepage (SMH) and provides a graphical user interface (GUI) to configure and manage system and workload containers.
Figure 4.1 SMH: Selecting Container Manager 4.2 Container Manager home page The Container Manager home page provides a view of all containers on the system including current state and resource utilization for each container. Figure 4.2 shows the Container Manager home page.
Figure 4.2 Container Manager home page NOTE: From the Container Manager help files, select the Displaying Container List and Status help menu item for more information on the Container Manager home page. 4.3 Accessing Container Manager help To access help information for any Container Manager page, click the question mark icon located in the upper right corner of the Container Manager homepage. 4.
Figure 4.3 shows the System Properties tab after the user enabled the selected system properties and rebooted the system. Figure 4.3 Enabling the system properties NOTE: From the Container Manager help files, select the Properties help menu item for more information on the System Properties page. 4.5 Container Manager – creating a container You can use the Container Manager to create a new container on your system. When you create a container, you select the type of container: workload or system.
In Figure 4.4, the user selects to create a system container. Figure 4.4 Container Manager – creating a system container: selecting a type In Figure 4.5, the user enters the required fields and modifies any optional fields as desired. Figure 4.5 Container Manager – creating a system container NOTE: From the Container Manager help files, select the Create a container help menu item for more information on creating a container.
4.6 Container Manager – viewing or modifying a container You can view or modify the configuration of a container once it has been created. Modifying some parameters (such as networking parameters) requires that the container be in the stopped state. To add, delete, or modify an application template configuration, you must restart the container. Follow these steps to view or modify a container: 1.
Figure 4.6 Container Manager – viewing or modifying a container NOTE: From the Container Manager help files, select the Viewing or Modifying a Container help menu item for more information on viewing or modifying a container.
You can also configure multiple IP addresses for a container. In Figure 4.7, the user clicks + add new instance in the Configure Networking Service section to add an IP address to Container_001. Figure 4.
4.7 Container Manager – starting a container You can start a container if it is currently in the stopped state. The current state of each container is displayed on the Container Manager home page. From the Container Manager home page, follow these steps to start a container: 1. Click on the container that you want to start. 2. Click Start located in the right hand task bar. In Figure 4.8, the user selected Container_004. Figure 4.
In Figure 4.9, once the user selects Container_004 and clicks Start…, the following status window is displayed. Figure 4.9 Container Manager – starting a container NOTE: From the Container Manager help files, select the Starting a Container help menu item for more information on starting a container.
4.8 Container Manager – stopping a container You can stop a container if it is currently in the started state. The current state of each container is displayed on the Container Manager home page. From the Container Manager home page, follow these steps to stop a container: 1. Click on the container that you want to stop. 2. Click Stop located in the right hand task bar. In Figure 4.10, once the user selects Container_004 and clicks Stop…, the following status window is displayed.
Figure 4.10 Container Manager – stopping a container NOTE: From the Container Manager help files, select the Stopping a Container help menu item for more information on stopping a container.
5 Configuring HP-UX Containers using the srp_sys command
The /opt/hpsrp/bin/srp_sys command is used to enable, disable, view, and update systemwide configuration properties that affect the HP-UX Containers product. The srp_sys command has the following syntax:
srp_sys [-s[etup]]
srp_sys [-e[nable]]|[-d[isable]] [subsystems[,...]] [variable=value [...]]
srp_sys [-l[ist]] [subsystems[,...
The srp_sys -enable option allows you to run the srp_sys command in the noninteractive mode. If no subsystem is specified, a default set of required HP-UX subsystems is enabled (coreset, migrate, cmptlogin, prm, and sshd). • Using srp_sys with the -setup option: The srp_sys -setup command ensures that the system is in an appropriate state to successfully configure containers. If a subsystem is not enabled, srp_sys prompts you to specify if you want to enable the service.
explicit network compartment network rule matching the communication attempt.
• cmpt_namedstrs: Configures named streams to be compartment aware.
• cmpt_restrict_tl: Required for the HP-UX Containers product to support ONC services. Configures the streams loopback driver (TL) to be compartment aware.
Compartment login (cmptlogin) This feature is required for configuring workload containers.
apply IPSec policies to encrypt and authenticate packets between the container IP address and a remote IP address.
• Secure Shell Daemon for Global View (sshd): By default, the Secure Shell daemon (sshd) in the global view listens on all IP addresses, including the addresses assigned to containers, which interferes with the Secure Shell daemons running inside the containers. To prevent the global-view sshd from listening on the container IP addresses, this service restricts it to a specific IP address assigned to the global view.
The SRP product has detected at least one workload container that needs to be migrated. Migration can be performed at anytime by executing the command '/opt/hpsrp/bin/util/srp_migrate' Migrate all existing workload containers? [y] n RETURN Specify which workload containers to migrate? [n] RETURN ############################## # # cmpt Login configuration # ############################## Checking compartment login feature ...
# # sshd configuration # ############################## Checking sshd configuration ... [ Not Enabled ] The Secure Shell daemon (sshd) in the global view is listening to all IP addresses. This will interfere with Secure Shell daemons in SRP containers. Restrict the IP addresses that sshd listens to in the global view? [y] RETURN Enter IP addresses, separated by comma ',': [16.92.124.238] sshd will then listen on these interfaces: 16.92.124.
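The sshd restriction above is only effective while the global-view sshd_config keeps an explicit ListenAddress for the global-view address and nothing wider. The following script is an added example, not part of the HP-UX Containers guide: it reads an sshd_config on stdin and reports whether sshd would bind every address (the condition srp_sys warns about), exactly the expected global-view address, or some other address. The address 16.92.124.238 is taken from the srp_sys transcript in this section; the three configurations are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the HP-UX Containers guide. Reads an sshd_config
# on stdin and classifies how the global-view sshd binds:
#   ok              every ListenAddress is one of the expected addresses
#   wildcard        no ListenAddress at all, or 0.0.0.0 / :: / * is listed,
#                   so sshd also binds the container addresses
#   foreign <addr>  a ListenAddress that is not an expected global-view address
# Use: check_sshd_listen ADDR... < /opt/ssh/etc/sshd_config
check_sshd_listen() {
    expected=" $* "
    # drop comments, keep ListenAddress values, strip an optional :port suffix
    addrs=$(sed -n 's/#.*//; s/^[[:space:]]*[Ll]isten[Aa]ddress[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' \
            | sed 's/^\[\(.*\)\]:[0-9]*$/\1/; s/^\([0-9.]*\):[0-9]*$/\1/')
    [ -z "$addrs" ] && { echo wildcard; return 0; }
    for a in $addrs; do
        case "$a" in
            0.0.0.0|::|'*') echo wildcard; return 0 ;;
        esac
        case "$expected" in
            *" $a "*) ;;
            *) echo "foreign $a"; return 0 ;;
        esac
    done
    echo ok
}

# Constructed sample 1: stock global-view config, no ListenAddress at all.
SSHD_DEFAULT='Port 22
Protocol 2
PermitRootLogin no'

# Constructed sample 2: restricted to the global-view address, with a :port
# suffix, which the check strips before comparing.
SSHD_RESTRICTED='Port 22
ListenAddress 16.92.124.238:22   # global view only
PermitRootLogin no'

# Constructed sample 3: a container address (16.92.121.29) was added by hand.
SSHD_LEAK='ListenAddress 16.92.124.238
ListenAddress 16.92.121.29'

printf '%s\n' "$SSHD_DEFAULT"    | check_sshd_listen 16.92.124.238   # wildcard
printf '%s\n' "$SSHD_RESTRICTED" | check_sshd_listen 16.92.124.238   # ok
printf '%s\n' "$SSHD_LEAK"       | check_sshd_listen 16.92.124.238   # foreign 16.92.121.29
```

Run it against the real file after every srp_sys -enable sshd and after any manual sshd_config change; a "wildcard" or "foreign" result means the container sshd instances will compete with the global-view daemon for the same socket.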
Status: Description
(continued) validation check, or is configured with an invalid option for HP-UX Containers.
Disable on Boot: The subsystem has been marked to be disabled, but needs a reboot to be fully disabled. Until the reboot has happened, parts of the subsystem will still be enabled.
6 Managing containers using the srp command The srp command is the command level interface available to configure containers. It allows you to add, update, delete, list, and manage containers (see srp(1M)). 6.1 Templates, services, and variables The srp command uses templates to determine the type and actions to be performed on a container. Templates consist of modular units called services, which group the actions performed on each functional component of a container.
ipsec: Configures HP-UX IPSec policies for the primary network interface of the container.
Variables
You can set variables when you create a container and modify them once the container is created. Examples of variables include ip_address and iface. 15.8 System templates lists the variables valid for each system container template. 16.8.1 Workload template lists the variables valid for each workload container template. 6.
Example 6.1 Creating a system container using the srp command
# /opt/hpsrp/bin/srp -a myContainer -t system
Enter the requested values when prompted, then press return. Enter "?" for help at prompt. Press control-c to exit.
6.3 Starting and stopping a container
If a container is configured to autostart during creation, then it is automatically started at system startup time. All the containers are automatically stopped at system shutdown time. You can use the srp -start command to start a container and the srp -stop command to stop a container.
To start a container, enter:
srp -start container_name
To stop a container, enter:
srp -stop container_name
Where container_name specifies the name of the container.
Starting HP-UX Tomcat-based Servlet Engine .............. N/A
Starting HP-UX Webmin-based Admin ....................... N/A
Starting the HPUX Webproxy subsystem .................... N/A
Starting HP-UX XML Web Server Tools ..................... OK
The HP-UX SRP Container is ready.
#
Example 6.3 Stopping a container
# srp -stop myContainer
SRP stop in progress
____________________
Stopping HP-UX Apache-based Web Server .......................... OK
Stopping HP-UX Tomcat-based Servlet Engine .............
Example 6.4 Displaying the status of a container
# srp -status myContainer
NAME         TYPE     STATE    SUBTYPE   ROOTPATH
myContainer  system   started  shared    /var/hpsrp/myContainer
6.
variable=value A valid variable for the specified service when used with the specified template and the value for the variable. To list the valid variable names for a service used with a given template, you can use the srp -h -v template template_name -service service_name command. See 6.7 Displaying help text for input parameters to display help text for the input parameters template, service, instance and variable.
The following template variables have been set to the values shown: prm_cpu_shares = 20 Press return or enter "yes" to make the selected modifications with these values. Do you wish to continue? [yes] RETURN replace prm rules succeeded # In Example 6.7, the user deletes the container myContainer that is in the stopped state but keeps the container’s local files and directories. Example 6.
template Specifies the templates for which you want to display parameters. Valid Input: workload, system, apache, tomcat, custom, oracledb, sshd. Default: workload service Specifies the services for which you want to display parameters. 15.8 System templates lists the services valid for each system container template. 16.8.1 Workload template lists the services valid for each workload container template. Default: The default services that are valid for the template.
• Migrate a container across systems: export and import a container, then delete the original container. • Create a new container by copying an existing container: export a container, then import the container with a new name and network configuration. • Create a copy of a container for archival purposes. Similarly, a container can be taken offline by exporting and deleting the original container. In Example 6.
import compartment rules succeeded import RBAC admin role for compartment succeeded import prm rules succeeded import ipfilter rules succeeded import ipsec rules succeeded creating mount points ... restoring filesystems: this will take some time ... Running product fitness test ... Scanning the products in "newContainer" please be patient.... Scanning the patches in "newContainer" please be patient.... Scan complete, "newContainer" matches the global products/patches. Configuring device files ...
NOTE:
• To export the directories mounted via the fstab (/var/hpsrp/container_name/etc/fstab) file of the container, you must mount the directories prior to executing the srp -export command, as follows:
1. Start the container: # srp -start container_name
2. Export the container: # srp -export container_name
3.
preview
Checks whether this system will accept the exchange file for import. If you specify the preview option, only import validation is performed.
exchange_file
Specifies the existing exchange file name. The srp -export command creates the exchange file. The default is srp.exchange.
when determining a target system for the container to import.
• Consider using shared storage or file systems when creating a container that will be cloned. For workload containers: By using shared storage for a container’s home directory and any file systems mounted within the container, you will not need to export and import file sets, and the data between containers will remain consistent. For system containers: Containers should only share application directories and data across systems.
7 Using the srp_init command The /sbin/srp_init command serves as a daemon and as a command to interact with the daemon. The srp_init daemon is the first process launched inside a container when the container is started. The srp_init daemon is a container process spawner that launches processes based on the entries in the container’s /etc/inittab file. It also monitors the processes it spawns during the lifetime of the container. 7.
NOTE: When running HP-UX commands in the workload container that reference the utmp, wtmp, and btmp database files (for example, who, last, write, and login), the database files referenced are in the global view. Because workload containers do not have private copies of these database files, the output is not specific to the container, but instead to the global view. For a workload container, the old and new run levels will be updated in the /var/hpsrp/container_name/var/opt/hpsrp/tmp/utmp.runlvl file. 7.1.
8 Using the srp_su command The srp_su command executes the su(1) command in the specified container. It can be used to login to a container or execute a single command before returning to the global view. You must execute the srp_su command from within the global view. The srp_su command has the following syntax: srp_su container_name [su_arguments] Where: container_name Specifies the name of the target container. su_arguments Specifies any valid su(1) arguments. 8.
9 Using the srp_ps command When you run the standard ps command in the global view, it will report all the processes on the system including all the processes in containers. To report process status for a specific container from the global view, use the /sbin/srp_ps command.
10 Establishing a user session in a container HP recommends the following methods to establish a user session in a container: • srp_su Use this command from the global view to establish a user session within any type of container. Note that by default, this command is restricted to the root user. For example: # srp_su myContainer See 8 Using the srp_su command for instructions on how to use the srp_su command.
11 Container startup and shutdown The HP-UX Containers startup and shutdown script (/sbin/init.d/srp) executes when the system transitions to run level 3 during startup, and executes when the system transitions down to run level 2 during shutdown. The following startup and shutdown scripts are linked to /sbin/init.d/srp: /sbin/rc3.d/S999srp /sbin/rc2.d/K001srp Containers that are configured to autostart will be started when the /sbin/rc3.d/S999srp script is run at system startup.
The container setup and shutdown script (/var/hpsrp/container_name/.setup/setup) is executed in the global view before and after startup and shutdown of the container. You can modify the script to perform container management activities at container start and stop time that cannot be performed inside the container, such as notifying management or auditing systems, or mounting the container home directory (/var/hpsrp/container_name).
12 Networking with containers All container types require an IP address to allow network interaction with remote systems. All network activity between a container and other network endpoints will use the IP address dedicated to the container. Once you have assigned an IP address to a container, the IP address can only be used while the container is started. When the container is stopped, the IP address is unavailable.
You can specify any valid physical interface for the iface parameter that the ifconfig(1M) command will accept. You do not have to specify a logical interface format (lan0:x); the srp command will find the next available, unassigned logical interface for the physical interface that you specify. Once assigned, however, the logical interface is statically configured in the /etc/rc.config.d/netconf[-ipv6] configuration (unless you opted to not manage the network interface in the netconf file).
INTERFACE_SKIP="true" IP_ADDRESS="16.92.121.29" TYPE="ipv4" SUBNET_MASK="255.255.252.0" INTERFACE_STATE="up" BROADCAST_ADDRESS="" DHCP_ENABLE="0" INTERFACE_MODULES="" CMGR_TAG="compartment="myContainer" template="system" service="network" id="1"" ROUTE_DESTINATION="default" ROUTE_SKIP="true" ROUTE_MASK="" ROUTE_GATEWAY="16.92.121.29" ROUTE_COUNT="0" ROUTE_ARGS="" ROUTE_SOURCE="16.92.121.
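The CMGR_TAG field shown above is what ties a netconf entry to a container, and INTERFACE_SKIP="true" is what keeps the system rc scripts from configuring the logical interface themselves. The following script is an added example, not part of the HP-UX Containers guide: it parses a netconf file on stdin and lists every logical interface tagged for a given container, flagging any that is not marked skip. It assumes the indexed form VAR[n]="value" used by /etc/rc.config.d/netconf (the ROUTE_MASK[10] style entries in this chapter show that form) and that nested quotes inside CMGR_TAG are escaped as \"; it also copes with the unescaped form printed in the sample above. The netconf content is a constructed sample. The same list is useful for the Serviceguard warning in section 13: Serviceguard does not read netconf, so a package script needs its own record of which addresses already belong to containers.

```shell
#!/bin/sh
# Added example, not part of the HP-UX Containers guide.
# Use: container_ifaces CONTAINER_NAME < /etc/rc.config.d/netconf
# Prints one line per interface entry whose CMGR_TAG names the container:
#   <index> <interface> <ip> skip|NOT-SKIPPED
# NOT-SKIPPED means INTERFACE_SKIP is not "true", so the rc net scripts would
# bring the interface up in the global view as well as the container doing it.
container_ifaces() {
    awk -v name="$1" '
        # every line of the form VAR[n]=value is stored as v[VAR, n]
        match($0, /^[A-Z_]+\[/) {
            var  = substr($0, 1, RLENGTH - 1)
            rest = substr($0, RLENGTH + 1)           # "n]=value"
            if (!match(rest, /^[0-9]+\]=/)) next
            idx = substr(rest, 1, RLENGTH - 2) + 0
            val = substr(rest, RLENGTH + 1)
            gsub(/\\"/, "\"", val)                   # unescape \" (used inside CMGR_TAG)
            sub(/^"/, "", val); sub(/"$/, "", val)   # strip the outer quotes
            v[var, idx] = val
            if (idx > maxidx) maxidx = idx
        }
        END {
            for (i = 0; i <= maxidx; i++) {
                if (index(v["CMGR_TAG", i], "compartment=\"" name "\"") == 0) continue
                printf "%d %s %s %s\n", i, v["INTERFACE_NAME", i], v["IP_ADDRESS", i],
                       (v["INTERFACE_SKIP", i] == "true" ? "skip" : "NOT-SKIPPED")
            }
        }'
}

# Constructed sample netconf (assumed layout): lan0 is the global-view address,
# lan0:1 belongs to myContainer and is correctly skipped, lan0:2 belongs to
# otherContainer but lacks the skip flag.
SAMPLE_NETCONF='HOSTNAME="hpux-global"
INTERFACE_NAME[0]="lan0"
IP_ADDRESS[0]="16.92.124.238"
SUBNET_MASK[0]="255.255.252.0"
INTERFACE_SKIP[0]="false"
INTERFACE_NAME[1]="lan0:1"
IP_ADDRESS[1]="16.92.121.29"
SUBNET_MASK[1]="255.255.252.0"
INTERFACE_STATE[1]="up"
DHCP_ENABLE[1]=0
INTERFACE_SKIP[1]="true"
CMGR_TAG[1]="compartment=\"myContainer\" template=\"system\" service=\"network\" id=\"1\""
INTERFACE_NAME[2]="lan0:2"
IP_ADDRESS[2]="16.92.121.30"
INTERFACE_SKIP[2]="false"
CMGR_TAG[2]="compartment=\"otherContainer\" template=\"workload\" service=\"network\" id=\"1\""'

printf '%s\n' "$SAMPLE_NETCONF" | container_ifaces myContainer      # 1 lan0:1 16.92.121.29 skip
printf '%s\n' "$SAMPLE_NETCONF" | container_ifaces otherContainer   # 2 lan0:2 16.92.121.30 NOT-SKIPPED
```

Run it with the real file (container_ifaces myContainer < /etc/rc.config.d/netconf) after srp -add or srp -replace of the network service; any NOT-SKIPPED entry should be corrected before the next reboot, and the printed addresses are the ones a Serviceguard package must not configure on its own.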
MEM  Entitle:25.00%  Max:(none)  Usage:6.85%
CPU  Entitle:7.69%   Max:(none)  Usage:0.00%
If you need to modify any of the managed networking service fields for an existing container instance, use the srp -replace containername -service network -id command to alter one or more of the existing values for the container instance. The instance value should exist in the container configuration. Refer to the srp -list containername -service network -v output for the appropriate instance reference.
ROUTE_MASK[10]="255.255.255.0"
ROUTE_GATEWAY[10]=""
ROUTE_COUNT[10]="1"
ROUTE_ARGS[10]=""
ROUTE_SOURCE[10]=""
The field must be reachable from the address by being on the same subnet as the address.
NOTE: You should be familiar with shell scripting when managing the network configuration, as well as syntax for the route(1M) and ifconfig(1M) commands.
12.
address configuration. The ROUTE_SOURCE IP address is used to identify the correct container route entries. Connectivity between containers and the global view are permitted by default. The routing between each area is managed internally without going out on the physical network.
ROUTE_PARAMS[9]="force" NOTE: Configuring cross-container rules can interfere with the ability to import containers to another system. See 6.9 Copying containers by exporting and importing for more details. 12.7 IP Routers and strong end system (ES) model To ensure proper routing, HP-UX Containers configures the system to use the strong end system (ES) model, as described in RFC 1122 to provide symmetric routing of connection based network traffic.
13 Using Serviceguard with containers Serviceguard allows you to create high availability clusters of HP 9000 or HP Integrity Servers. A high availability computer system allows application services to continue in spite of a hardware or software failure. Highly available systems protect users from software failures as well as from failure of a system processing unit (SPU), disk, or local area network (LAN) component. In the event that one component fails, the redundant component takes over.
• If you want to use the Serviceguard network failover capability, then Serviceguard must control the management of the network interface. IMPORTANT: Unlike HP-UX Containers, Serviceguard does not support the system network configuration files /etc/rc.config.d/netconf and netconf-ipv6. Therefore, a Serviceguard package during startup can unknowingly use container assigned network interfaces which are not active when the package is started, but are configured in /etc/rc.config.
Serviceguard access the container. You must prepend the srp_su command to the command that requires execution within a container. In the following example, the representative Serviceguard package was modified to control myContainer, a package executing in the container.
directory, then the Serviceguard package should mount and unmount the home directory before starting and stopping the container. Either HP-UX Containers or Serviceguard can manage the network interfaces. Similar to the classic model, if Serviceguard is managing the network interfaces, HP recommends that the package is configured to create the default route for any container IP addresses. See Appendix A: Container default route script for Serviceguard for an example.
Part III: Container type specific management
14 Container types HP-UX Containers supports deployment of containers of different types on the same system. In order to choose the container type best suited for your workload, you should determine which container properties best meet your needs. 14.1 System containers System containers provide additional virtualization and private namespace capabilities over workload containers that give users the look and feel of a private operating system instance.
Property comparison (columns: Workload Container / System Container (private FS))
• Memory overhead per container: Negligible
• CPU/networking/storage access overhead per container: Negligible
• CPU and memory allocation controls: Guaranteed minimum or dedicated
• Private namespace support: Network portspace; Processes: Isolated
• System services provisioned per container: Secure Shell (optional)
• Lifecycle: Per container init processing, start, stop, import, and export
• User management: Managed from the global view
Property comparison (continued; columns: Workload Container / System Container (private FS) / System Container (shared FS))
• Device access (continued): To mount a device within a container, you must first provision the device to the container from the global view.
• SD software installation: Installed once from the global view. Products with targeted install location may be installed into container. / Installed from the global view and pushed to each container.
14.4 Choosing a container type HP-UX Containers provide multiple container types to meet consolidation needs of the environment. However, it is important to choose the right container type for the workload before embarking on your consolidation effort. A workload can be defined as a related set of applications and supporting services – far more than just an application.
15 System container With a system container, you can perform various management tasks only from the global view (see 15.7 Limitations and disallowed ), and others from within the container.
A system container with a shared file system subtype has a smaller disk footprint and is faster to create, as the system binary directories /usr and /sbin are shared with the global view. It is ideal for application deployments that do not require write access to /usr and /sbin and can keep their software version in sync with the global view. A system container with a private filesystem subtype provides write access to all the directories except /stand.
character device (for example, /dev/rdisk/disk10) within the system container as described in 15.4 Managing Devices . Since operations such as creating a file system on a device using the mkfs command are not allowed within a system container, you must create the file system on the device before provisioning it to the container. NFS mounts must be performed from within the container.
/dev/vg53/lvol4    4096000     30945   3811084    1% /httperf
/etc/mymnt         8192000   4146427   3794023   52% /tmp/mymnt
# ls /dev/vg53/lvol4
/dev/vg53/lvol4 not found
In the previous sample output:
• The first entry refers to the container root (/).
• The next two entries are mounts created for the container from the global view.
• The last entry refers to a lofs mount created within the container.
15.
kctune srp_obfuscate_enabled=0   # to disable all process related obfuscation
kctune srp_obfuscate_enabled=1   # to enable UID and GID obfuscation only
kctune srp_obfuscate_enabled=2   # to enable process name obfuscation only
kctune srp_obfuscate_enabled=3   # (default) to enable all process related obfuscation
15.3 Security features 15.3.
Once auditing is configured, all audit records generated by processes in all system containers, as well as audit records generated by processes in the global view, are written to the audit log files in the global view. 15.3.2.2 Audit record viewing in the global view An administrator in the global view can use the auditdp(1M) command to view audit records generated by processes in any system container or in the global view.
15.4 Managing devices
A system container is provisioned with devices that can operate within the scope of the container only. These devices are:
• Pseudo-transport devices (such as /dev/tcp and /dev/ip)
• Pseudo-terminal devices (such as /dev/pty*)
• Mount device (/dev/mnttab)
• Random number generator (/dev/random)
• Null device (/dev/null)
• Privilege-aware devices that can restrict the operations (such as /dev/devkrs and /dev/config)
Devices cannot be created from within a system container.
SD command   Global view   System container
swpackage    Unchanged     Unchanged
swreg        Unchanged     Unchanged
swverify     Unchanged     Unchanged
swinstall    Enhanced      Not supported (blocked)
swremove     Enhanced      Not supported (blocked)
swconfig     Enhanced      Not supported (blocked)
15.5.1 Managing software 15.5.1.1 Installing software The swinstall command is used to install the software selection from a software source. By default, the software is configured for use after installation.
15.5.1.3 Removing software The swremove command is used to remove software selection from the system. When removing installed software, swremove also unconfigures the software before it is removed. As in the case of installation of a software product that requires a reboot, the removal of the product occurs first in the global view, then in each system container, followed by a reboot of the entire system.
2. Copy the remote directory locally using other HP-UX tools.
3. Use NFS to mount the depot on the local filesystem.
4. If the depot is on media, physically place it in a local drive.
For example, you can copy a remote registered depot to the global system as follows:
# swcopy -s remote_machine:/depots/remote.depot PRODUCT @ /depots/myproduct.depot
15.5.3 Allowed products
The products that are installed in the system containers are a subset of the products installed in the global system.
• If neither the global_srp nor the local_srp_list option is specified, the install, remove, or configure operation occurs on the system and in all system containers.
• If global_srp=true is specified and local_srp_list is not, the operation occurs only on the system.
• If global_srp=true and local_srp_list are both set, the operation occurs on the system and in the listed system containers.
maintenance (using srp -maint container_A) and then enter the container (using srp_su -M container_A).
2. Take corrective action based on the information in the swagent.log file.
3. Change the state of the container back to stopped using srp -stop container_A.
4. Install the product by targeting the container:
# swinstall -x local_srp_list="container_A" -s \
/tmp/myproduct_version_2.
ERROR: The update-ux command cannot continue because at least one containers is in the 'started' state.
Please run 'srp -stop -batch' to stop all running containers.
You can specify a remote depot when using the update-ux command. With HP-UX Containers enabled and with existing system containers configured, the system must have at least 5 GB of disk space available under the /var directory when specifying a remote depot.
• If you have applied IPFilter for the container, ensure that any additional ports used by the application are allowed. When the ipfilter service is enabled for the container, inbound network connections to the container are blocked by default. You must configure the ipfilter service to allow inbound connections to any network ports that the application will listen on.
• Use the custom template to apply additional IPFilter capabilities to the container for the application.
Disallowed Privilege   Description   Example
ACCOUNTING   Allows a process to control the process accounting system.   acct(1M), acctsh(1M)
AUDCONTROL   Allows a process to start, modify, and stop the auditing system.   audsys(1M)
CHANGECMPT   Grants a process the ability to change its compartment.   privrun(1M)
CMPTREAD   Allows a process to open a file or directory for reading, executing, or searching, bypassing compartment rules.
Disallowed Privilege   Description   Example
REBOOT   Allows a process to perform system reboot.   reboot(1M)
RULESCONFIG   Allows a process to add and modify compartment rules.   setrules(1M)
SPUCTL   Allows a process to perform certain administrative operations in the Instant Capacity product.
SWAPCTL   Allows a process to manage and configure swap space.
SYSNFS   Allows a process to export a file system.
TRIALMODE   Allows a process to log privileges required to execute in the syslog file.
Service / Variable (column as extracted): allow_sw_mismatch, init*, autostart, subtype, configure_dns, root_password (+), change_password, domain_name, dns_server_ip, device_list, device, provision_fs, delete_files_ok, prm, prm_group_name, prm_group_type, prm_cores, prm_cpu_shares, prm_cpu_max, prm_mem_shares
Description (column as extracted):
(continued from previous row) ... to be copied during the import and export operations. Default: var/hpsrp/container_name
allow_sw_mismatch: Allow import to proceed if software products on the source and destination systems do not match.
Service / Variable (column as extracted): prm_mem_max, prm_phys_mem, network*, ip_address (+), assign_ip, iface (+), ip_mask, gw_ip_address, ipfilter, ipf_for_ipsec, ipsec, ipsec_peer_addr (+), ipsec_transform
Description (column as extracted):
(continued from previous row) Default: 10
prm_mem_max: Specifies a max (upper bound) for memory consumption of system's memory for user processes. Default: No cap
prm_phys_mem: Memory in MB allocated for shared memory usage. Default: 0 (no dedicated physical shared memory)
ip_address: IP address to dedicate to the container. Default: None.
(*) Required services for a container (or to create a container). (+) No default, these variables need a value to be assigned for adding or replacing the corresponding services.
16 Workload Container Workload containers provide access control based isolation of workload without utilizing namespace based isolation features. While not providing the user space virtualization properties of system containers, the absence of private file namespace usage allows the container to be more lightweight, and not require SD software synchronization with the global view, decreasing maintenance cost, and simplifying cloning and Serviceguard integration.
16.3 Security features HP-UX Containers provides a framework for managing container and networking security. This framework is primarily enforced with Security Containment compartment access rules. The default set of container access rules delivered with HP-UX Containers has been developed to favor functional isolation, application compatibility, and user session functionality over strong security containment.
16.6 Deploying applications In order to determine how to deploy applications for use by workload containers, you must first determine if the application is supported for single or multi-instance deployment. 16.6.1 Single instance applications While nearly all applications can be executed within a container environment, some applications do not support multiple instances of the same application executing on the same system concurrently.
installed entirely under the container home directory, customization of the container's compartment rules is usually not necessary. Life cycle management, including cloning and migration of the container, will also be simplified, as the application files will be managed as part of the container.
• Deploy files shared by multiple containers under the standard UNIX directories for hosting shared application files (for example, /opt/ and /usr/).
Templates   Description
(continued from previous row) ... to install a separate instance of the Oracle database software inside the container, you do not need to use this template. See 16.8.5 Oracle template.
custom   (Optional) Accommodates additional applications. Allows defining application specific compartment access rules, ipfilter rules and provisioning. See 16.8.6 Custom template.
16.8.1 Workload template
The workload template includes the following services and variables:
Table 16.
Service / Variable (column as extracted): login, login_group, login_user, init*, autostart, provision_fs, delete_files_ok, prm, prm_group_name, prm_group_type, prm_cores, prm_cpu_shares, prm_cpu_max, prm_mem_shares, prm_mem_max, prm_phys_mem, network*, ip_address (+), assign_ip, iface (+), ip_mask, gw_ip_address
Description (column as extracted):
(continued from previous row) Default: root
login_group: Comma separated list of existing groups authorized to login to the container. Default: None
login_user: Comma separated list of existing users authorized to login to the container.
Service / Variable (column as extracted): ipfilter, ipf_for_ipsec, ipsec, ipsec_peer_addr (+), ipsec_transform
Description (column as extracted):
(continued from previous row) Default: Same as the IP address configured for this container.
ipf_for_ipsec: Specify whether to allow IPFilter rules to allow IPSec packets (Yes or No). Default: No.
ipsec_peer_addr: Destination IP address for the IPSec policies. Valid Input: An IPv4 address in dotted-decimal notation or an IPv6 address in colon-hexadecimal notation. Default: None
ipsec_transform: Transform for IPSec host policy.
Service   Description
• Uses the SSH ssh-keygen utility to generate an RSA key pair to use for the sshd host key pair. These keys are stored in the container-specific sshd data path directory (/var/hpsrp/container_name/opt/ssh) with the following names:
  o ssh_host_rsa_key (RSA private key)
  o ssh_host_rsa_key.
Service   Variable   Variable Description
ipfilter   ipf_tcp_ports   Specifies the local TCP port numbers for IPFilter rules that allow inbound packets. Variable Name: ipf_tcp_ports. Valid Input: One or more TCP port numbers each in the range 1-65535, separated by commas. Default: 22. This is the IANA registered port number for SSH remote login.
provision   data_path   Same as described in cmpt service.
provision   exec_path   Same as described in cmpt service.
provision   data_src
Service   Description
• Creating a container-specific http.conf file with container-specific configuration data, such as setting data paths to the appropriate directories below the container Apache home directory and setting the IP address to the container IP address. Enables the mod_ajp module for Apache Tomcat integration.
• Creating container-specific initialization scripts and startup file to start Apache with the container-specific http.conf file when the container startup script is executed.
Service / Variable (column as extracted): https_port, ajp_port, ipf_tcp_ports; provision: wss_version, data_path, http_port, https_port, ajp_port, data_src, user, start_apache, startssl_apache
Description (column as extracted):
http_port (continued from previous row): Valid Input: A TCP port number in the range 1-65535. Default: 80, the IANA registered port number for HTTP.
https_port: Specifies the TCP port number on which the container Apache server will receive HTTPS (SSL) requests. Valid Input: A TCP port number in the range 1-65535. Default: 443, the IANA registered port number for HTTPS.
Service   Description
system rules to allow the container to access the specified Apache directories in global view. The srp command adds entries to the container rules file (/etc/cmpt/container_name.rules) that authorize access to the directories specified in the exec_path, data_path, and java_path variables. The srp command also adds an include statement to add the rules from the /opt/hpsrp/etc/cmpt/tomcat.srp_incl file. As delivered by HP, this file is empty.
Table 16.9 Variables for the tomcat template
Service   Variable   Variable Description
cmpt   wss_version   The HP-UX Webserver Suite version of Tomcat Servlet Engine to be used to configure the template. Default: 3.0.
       exec_path   The root directory for Tomcat executables. Default: /opt/hpws22/tomcat.
       data_src   The directory from which you want to copy Tomcat data. The provision service creates a copy of this subtree and its contents and installs it in the specified data_path for use by the container.
16.8.5 Oracle template
The oracledb template allows you to configure a container to share a single set of Oracle executables with other containers. You do not need to use this template if you are installing a separate instance of the Oracle executables in the container.
Table 16.10 Services for the oracle template
Service   Description
cmpt   The cmpt service for the oracledb template configures Security Containment file system rules to allow the container to access the specified Oracle directories.
Service   Variable   Description
ipfilter   ipf_tcp_ports   Specifies the local TCP port numbers for IPFilter rules that allow inbound packets. Variable Name: ipf_tcp_ports. Valid Input: One or more TCP port numbers each in the range 1-65535, separated by commas. Default: 1521. This is the default port number for the Oracle Net Listener process (commonly referred to as the listener).
provision   exec_path   Same as described in cmpt service.
provision   data_path   Same as described in cmpt service.
16.8.
all_access   Specifies directories to configure with all access in the compartment rules file for this container. To specify multiple directories, use commas to separate directory names. Default: None.
no_access   Specifies directories to configure with none access in the compartment rules file for this container.
ipfilter   ipf_tcp_ports, ipf_udp_ports
provision   script
17 Compatibility with other HP-UX products 17.1 Bastille revert feature Bastille provides the ability to save and restore a baseline configuration of an HP-UX system. If you use the bastille -r command to revert to the Bastille baseline configuration, you can lose any IPFilter rules configured using HP-UX Containers that are not in the baseline configuration. HP recommends that you do not configure the IPFilter service with HP-UX Containers if you are using Bastille to manage IPFilter rules.
18 Verifying and troubleshooting containers This chapter contains procedures for verifying and troubleshooting containers. This chapter addresses the following topics: NOTE: You can run system administration and performance tools (such as glance, gpm, kprof, kgmon, ktrace, and caliper) in the global view. 18.
o Use NFS to mount the depot from the remote server to the local filesystem.
Once the software depot is available locally, run the swinstall command to point to the local source.
• Scenario 4: The GUI version of the swinstall command does not work in the HP-UX Containers environment.
Symptom: The swinstall command invoked with no command line options fails with the following error message:
# swinstall
ERROR: The interactive UI is not supported in SRP environment.
• Scenario 7: Process respawn does not work in the container.
Symptom: Processes configured for respawn in the container's /etc/inittab file do not respawn.
One method to reduce the number of unrelated audit entries is to disable auditing for all users, then enable auditing for the user ID used to execute the application. Next, configure auditing for failed attempts for common file and IPC operations. For example:
audevent -F -e open -e create -e delete -e ipccreat -e ipcopen \
    -e ipcclose -s kill
18.3.
Compartment   Default PRM Group
_____________________________________________
EntDir        EntDir
MktDB         MktDB
MktWeb        MktWeb
SRP2          SRP2
The prmmonitor utility displays statistics for each PRM group.
# prmmonitor
PRM configured from file:  /etc/prmconf
File last modified:        Tue Oct 14 12:57:58 2008
HP-UX habs B.11.
For example:
# ipfstat -io
pass out quick proto tcp from 192.0.2.1/32 to any keep state
pass out quick proto udp from 192.0.2.1/32 to any keep state
pass out quick proto icmp from 192.0.2.1/32 to any keep state
pass in quick proto icmp from any to 192.0.2.1/32
block in quick from any to 192.0.2.1/32
18.3.
Rule Name: SRP-web2-base-1
ID: 8
Cookie: 3
Priority: 30
Src IP Addr: 192.0.2.1   Prefix: 32   Port number: 0
Dst IP Addr: 10.2.2.
18.4.2 Removing or disabling IPFilter
If you are using IPFilter with HP-UX Containers, you can check whether IPFilter rules are blocking access to the container applications by removing the ipfilter service from the container, as follows:
srp -d container_name [-t template] -s ipfilter
If you do not specify the -t argument, the srp command removes the IPFilter configuration for the template (base for the workload container and system for the system container).
contract for your product, you can still obtain support services for a fee, based on the amount of time and material required to solve your problem.
4. If you are requested to supply any information pertaining to the problem, gather the necessary information and submit it. Include the following information:
• The output from the following command: srp -l container_name -v
• The contents of the container initialization log file, /var/hpsrp/container_name/etc/rc.log.
Glossary
compartment
Security Containment compartments. Manages isolation and privilege restrictions for sets of HP-UX processes. Each container includes a corresponding compartment definition.
container
A container provides process view isolation, IPC isolation, and a dedicated IP address interface. HP-UX Containers includes two types of containers: system and workload.
container administrator
A global view user that has been granted the administrator role to manage one or more containers.
private file system
A system container subtype. The private file system has only the /stand directory from the global view. All other directories are private to the container.
shared file system
A system container subtype. The shared file system has the /usr, /sbin, and /stand directories from the global view mounted as read-only. All other directories are private to the container.
system container
System containers provide process view isolation, IPC isolation, and a dedicated IP address interface.
Appendix A: Container default route script for Serviceguard
The following script can be used by a Serviceguard package to assign a default route for an IP address associated with a container. This script is included with the HP-UX Containers Serviceguard Reference Implementation for containers and is installed with the HP-UX Containers product at:
/opt/hpsrp/example/serviceguard/srp_as_sg_package/srp_route_script
#
# Copyright (c) 2009 Hewlett-Packard Development Company L.P.
# SRP_SG_GATEWAY[1]="10.1.1.1"
#
###################################################################
. `dirname $0`/srp_script.
then
    # use local IP as gateway
    emsg=$(/usr/sbin/route delete default $srp_gateway 0 \
        source $srp_ip 2>&1)
else
    # use remote gateway
    emsg=$(/usr/sbin/route delete default $srp_gateway 1 \
        source $srp_ip 2>&1)
fi
if (($? != 0)); then
    print "ERROR: $emsg" >$2
    rval=1
fi
let index=$index+1
done
return $rval
}
################
# main routine
################
sg_log 5 "SRP routing entry configuration script"
#########################################################################
#
# Customer defined external sc
Appendix B: Direct customization of container properties
In most cases, the srp command is sufficient to modify the properties of a container. However, you can directly modify the container-specific scripts or system configuration entries to:
• Execute customer defined operations from the global view when a container is created, deleted, or started and stopped (not supported for system containers).
• Customize security containment definition (not supported for system containers).
# cd /opt/hpsrp/etc/
# cp base.srp_incl myCustom.srp_incl
2. Remove the rules in the original (base.srp_incl) file. This creates an empty security compartment rules file. A container that uses only this file for its compartment rule set will have no access to any files, system IPC, or network interfaces.
NOTE: Creating an empty security compartment rules file for the base template files affects all containers using this file, including those previously created.
The specific tag format for each subsystem is described in the sections that follow. B.2.2.2 Security Containment compartment tag format NOTE: Customization of the Security Containment compartment rules file is not supported for system containers. Data is stored in the /etc/cmpt/container_name.rules file by default.
IPv6 Interfaces
The data is similar for IPv6 interfaces, with the following differences:
• The data is stored in the /etc/rc.config.d/netconf-ipv6 file.
• The names of the interface parameters are correct for IPv6 interfaces, such as IPV6_INTERFACE, IPV6_ADDRESS, IPV6_INTERFACE_STATE.
• HP-UX Containers does not add or manage IPv6 route entries.
B.2.2.5 PRM Tag Format
Data is stored in the /etc/prmconf file by default.
Appendix C: Template services – detailed description
C.1 The cmpt service
The cmpt service configures an HP-UX Security Containment compartment, which forms the core of each container. You must use the cmpt service when you create a container.
C.1.
• Assigns the authorization hpux.SRPadmin-container_name to execute the container master startup script /opt/hpsrp/bin/srp_rc in the container. This enables the administrator to start up and shut down the container. The RBAC cmdprivadm add command is used to perform this task. Configuring an administrative user does not grant that user login or srp_su access to the compartment. C.3 The prm service The prm service creates a new PRM group for a container.
Route information The srp command provides an option to add or modify the default gateway routing table entry for the container IP address. The container IP address is always used as the source IP address. If no target default gateway IP address is provided, the container IP address is used, with a hop (route) count set to 0. If a target default gateway IP address is provided, the hop (route) count is set to 1. The srp command adds the routing configuration data to /etc/rc.config.
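The gateway and hop-count rule above, as an added example of how an administrator's own script could build the matching route(1M) command line. This is not part of the srp command or of the Serviceguard reference script in Appendix A; the function name srp_default_route is the author's, and it assumes the "route ACTION default GATEWAY HOPS source IP" form that the Appendix A script uses and that an explicitly supplied gateway equal to the container address is treated as the local (hop 0) case.

```shell
#!/bin/sh
# Added example, not HP code: build the route(1M) command that matches the
# srp default-route rule. No gateway given -> the container IP is its own
# gateway with hop count 0; a gateway given -> hop count 1.
# Assumption: the "route ACTION default GATEWAY HOPS source IP" form used
# by the Appendix A Serviceguard script.

# srp_default_route ACTION CONTAINER_IP [GATEWAY_IP]
# Prints the command line; it does not run it.
srp_default_route() {
    action=$1
    srp_ip=$2
    gw=$3
    case "$action" in
        add|delete) ;;
        *) echo "srp_default_route: action must be add or delete" >&2; return 1 ;;
    esac
    [ -n "$srp_ip" ] || { echo "srp_default_route: container IP required" >&2; return 1; }
    if [ -z "$gw" ] || [ "$gw" = "$srp_ip" ]; then
        # Local IP as gateway: directly attached network, hop count 0.
        gw=$srp_ip
        hops=0
    else
        # Remote gateway: one hop away.
        hops=1
    fi
    # The container address is always the source, so replies from the
    # global view never leak out with another interface address.
    echo "/usr/sbin/route $action default $gw $hops source $srp_ip"
}
```

Because the container address is forced as the route source, a wrong hop count shows up as a route that is installed but never used; compare the printed line with `netstat -rn` output after applying it.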
• 11 Container startup and shutdown. C.6 The login service (workload containers) The login service enables you to specify the set of users and user groups whose members are authorized to log in to the container. If you do not configure the login service and you are using the default RBAC system configuration, only the root user is authorized to log in to the container. You can use the login service to grant non-root users the authorization to log in to the container. C.6.
If the container address is an IPv6 address, the last rule is pass out quick proto icmpv6 from container_address to any keep state. • A rule that allows inbound ICMP packets from any address to the container IP address: pass in quick proto icmp from any to container_address If the container address is an IPv6 address, the rule is pass in quick proto icmpv6 from any to container_address.
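The per-container rule set described here, the ipfstat -io listing in 18.4, and the ipf_tcp_ports variable of the ipfilter service, as an added example: a shell function that renders the equivalent IPFilter rules for an IPv4 or IPv6 container address. This is not the product's own rule generator; the function names are the author's, and the /32 and /128 host masks and the form of the inbound TCP rule ("port = N keep state") are assumptions, since the guide shows only the outbound, ICMP and final block rules.

```shell
#!/bin/sh
# Added example, not HP's srp code: render the IPFilter rules the guide
# describes for a container address, plus one inbound allow rule per
# ipf_tcp_ports entry. Assumptions (not shown in the guide): IPv4 gets a
# /32 mask and IPv6 a /128 mask; inbound TCP uses "port = N keep state".

# Print "icmpv6" for an IPv6 address (contains ':'), else "icmp".
srp_icmp_proto() {
    case "$1" in
        *:*) echo icmpv6 ;;
        *)   echo icmp ;;
    esac
}

# Print the address with the single-host prefix the rules use.
srp_host_prefix() {
    case "$1" in
        *:*) echo "$1/128" ;;
        *)   echo "$1/32" ;;
    esac
}

# Return 0 if $1 is an integer in 1..65535, else print an error and return 1.
srp_check_port() {
    case "$1" in
        ''|*[!0-9]*) echo "invalid port: '$1'" >&2; return 1 ;;
    esac
    if [ "$1" -lt 1 ] || [ "$1" -gt 65535 ]; then
        echo "port out of range: $1" >&2
        return 1
    fi
    return 0
}

# srp_ipf_rules ADDRESS [TCP_PORTS]
# TCP_PORTS is the comma-separated ipf_tcp_ports value (default 22, the
# service default). Rules are printed one per line in evaluation order;
# "quick" means the first matching rule decides the packet.
srp_ipf_rules() {
    addr=$(srp_host_prefix "$1")
    icmp=$(srp_icmp_proto "$1")
    ports=$(echo "${2:-22}" | tr ',' ' ')
    # Validate every port before printing anything, so a bad list never
    # yields a half-written rule set.
    for port in $ports; do
        srp_check_port "$port" || return 1
    done
    # Outbound: anything the container originates; "keep state" lets the
    # replies back in without a separate "pass in" rule.
    for proto in tcp udp "$icmp"; do
        echo "pass out quick proto $proto from $addr to any keep state"
    done
    # Inbound ICMP is allowed unconditionally.
    echo "pass in quick proto $icmp from any to $addr"
    # Inbound TCP only on the listed ports.
    for port in $ports; do
        echo "pass in quick proto tcp from any to $addr port = $port keep state"
    done
    # Everything else inbound is dropped by the final catch-all.
    echo "block in quick from any to $addr"
}
```

Run `srp_ipf_rules 192.0.2.1 "22,80"` and compare the output with `ipfstat -io` on a system where the ipfilter service is configured: any listening port of the application that does not appear in a "pass in" line is the one the default policy is blocking.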
The IKE policy specifies parameters used to establish an IKE security association with the specified remote IP address. The authentication method is PSK (preshared key). The default HP-UX IPSec values are used for all other parameters. • An authentication record The authentication record contains the specified remote IP address and preshared key value. The default HP-UX IPSec values are used for all other parameters.
Technology for better business outcomes © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.